dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Dependabot can't deal with PHP git updates (Requirements to unlock update_not_possible) #2066

Closed ElijahLynn closed 5 days ago

ElijahLynn commented 4 years ago

Breaking out of https://github.com/dependabot/feedback/issues/799 with @feelepxyz.

https://github.com/department-of-veterans-affairs/va.gov-cms/blob/master/composer.json has a dependency on https://github.com/department-of-veterans-affairs/vets-website/blob/master/composer.json (https://packagist.org/packages/va-gov/web)

and we have a https://github.com/department-of-veterans-affairs/va.gov-cms/blob/master/.dependabot/config.yml set to update the va-gov/web package and automerge it, but we never get any PRs for it, and the logs say:

updater | INFO <job_18255722> Latest version is aac333ed6a49c91c66bef7cd4815437d4526c239
updater | INFO <job_18255722> Requirements to unlock update_not_possible
updater | INFO <job_18255722> Requirements update strategy bump_versions_if_necessary
updater | INFO <job_18255722> No update possible for va-gov/web e17a3cc82ac8a80b67704f205b44cfd1026e425f****

We already discussed this a fair bit in https://github.com/dependabot/feedback/issues/799. Running composer update va-gov/web locally works fine.

ElijahLynn commented 4 years ago

Bumping this for a status update.

feelepxyz commented 4 years ago

@ElijahLynn thanks for creating this issue! We're pretty swamped at the moment so struggling to get to this.

We would love any help fixing this if you have the time and expertise. The code is open-source and this is probably where we'd need to make the change: https://github.com/dependabot/dependabot-core/blob/master/composer/lib/dependabot/composer/update_checker/version_resolver.rb

ElijahLynn commented 4 years ago

> @ElijahLynn thanks for creating this issue! We're pretty swamped at the moment so struggling to get to this.
>
> We would love any help fixing this if you have the time and expertise. The code is open-source and this is probably where we'd need to make the change: https://github.com/dependabot/dependabot-core/blob/master/composer/lib/dependabot/composer/update_checker/version_resolver.rb

Thanks for pointing this out to me. I didn't know it was open source (hell yeah!). If I have time to work on this, the main thing I would want to know is how to test this. Is there a way I can open a PR with my changes and have another repo use my PR branch to test against?

Any insight on testing my changes would be great. I'll look through the docs, maybe they explain how.

feelepxyz commented 4 years ago

@ElijahLynn nice one! The easiest option is to use docker to bootstrap the project:

You should be able to run the specs with rspec from the package manager folder, e.g.

damienwebdev commented 2 years ago

I took a look at this -- https://github.com/dependabot/dependabot-core/commit/898c8d109506e9140c76fbe144087caaec4416ff is the offending commit with the offending line.

def latest_resolvable_version_with_no_unlock
  return nil if path_dependency? || git_dependency? # <-- offending line: git dependencies are skipped outright

  @latest_resolvable_version_with_no_unlock ||=
    VersionResolver.new(
      credentials: credentials,
      dependency: dependency,
      dependency_files: dependency_files,
      latest_allowable_version: latest_version_from_registry,
      requirements_to_unlock: :none
    ).latest_resolvable_version
end

https://github.com/dependabot/dependabot-core/blob/main/composer/lib/dependabot/composer/update_checker.rb#L51

If I were to remove the branch for git_dependency? I wind up with the error:

Traceback (most recent call last):
        15: from bin/dry-run.rb:624:in `<main>'
        14: from bin/dry-run.rb:624:in `each'
        13: from bin/dry-run.rb:678:in `block in <main>'
        12: from /home/dependabot/dependabot-core/common/lib/dependabot/update_checkers/base.rb:45:in `can_update?'
        11: from /home/dependabot/dependabot-core/common/lib/dependabot/update_checkers/base.rb:195:in `version_can_update?'
        10: from /home/dependabot/dependabot-core/common/lib/dependabot/update_checkers/base.rb:223:in `sha1_version_can_update?'
         9: from /home/dependabot/dependabot-core/composer/lib/dependabot/composer/update_checker.rb:58:in `latest_resolvable_version_with_no_unlock'
         8: from /home/dependabot/dependabot-core/composer/lib/dependabot/composer/update_checker.rb:91:in `latest_version_from_registry'
         7: from /home/dependabot/dependabot-core/composer/lib/dependabot/composer/update_checker/latest_version_finder.rb:27:in `latest_version'
         6: from /home/dependabot/dependabot-core/composer/lib/dependabot/composer/update_checker/latest_version_finder.rb:41:in `fetch_latest_version'
         5: from /home/dependabot/dependabot-core/composer/lib/dependabot/composer/update_checker/latest_version_finder.rb:58:in `filter_prerelease_versions'
         4: from /home/dependabot/dependabot-core/composer/lib/dependabot/composer/update_checker/latest_version_finder.rb:84:in `wants_prerelease?'
         3: from /usr/local/lib/site_ruby/2.7.0/rubygems/version.rb:203:in `new'
         2: from /usr/local/lib/site_ruby/2.7.0/rubygems/version.rb:203:in `new'
         1: from /home/dependabot/dependabot-core/composer/lib/dependabot/composer/version.rb:15:in `initialize'
/usr/local/lib/site_ruby/2.7.0/rubygems/version.rb:214:in `initialize': Malformed version number string MY_SHA (ArgumentError)

Note that MY_SHA is the correct updated SHA, which is promising, but my Ruby is extremely weak and that's where my analysis stops.

I suspect that there needs to be some handling done in version.rb but I don't know what that handling would be.

# Dependabot::Composer::Version subclasses Gem::Version, so `super` is what
# raises "Malformed version number string" when handed a commit SHA.
def initialize(version)
  @version_string = version.to_s
  super
end
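
Added illustration, not dependabot-core's own code, of the failure in the traceback above and of one way a version class could tolerate a git SHA: Gem::Version rejects a 40-hex commit id outright, so anything that wraps it has to recognise commit refs before delegating. The class name GitOrSemverVersion and its methods are hypothetical; the two SHAs used below are the ones from the job log in this issue.

```ruby
require "rubygems"

# Reproduces the failure in the traceback: Gem::Version, which the composer
# version class subclasses, treats a 40-hex commit id as malformed.
def malformed_for_gem_version?(string)
  Gem::Version.new(string)
  false
rescue ArgumentError
  true
end

# Hypothetical wrapper (not Dependabot::Composer::Version) that accepts either
# a version string or a git commit SHA, which is what a git-sourced Composer
# package such as va-gov/web resolves to.
class GitOrSemverVersion
  SHA_RE = /\A[0-9a-f]{40}\z/i

  attr_reader :raw

  def initialize(version)
    @raw = version.to_s.strip
    # Only delegate to Gem::Version when the string is not a SHA, so the
    # "Malformed version number string" ArgumentError cannot be raised here.
    @semver = SHA_RE.match?(@raw) ? nil : Gem::Version.new(@raw)
  end

  def git_sha?
    @semver.nil?
  end

  # Is self (the latest resolvable) an update over `locked` (the current)?
  # SHAs have no ordering, so for git refs "update" can only mean "differs",
  # which is the kind of comparison a sha-based path has to make.
  def update_from?(locked)
    locked = self.class.new(locked) unless locked.is_a?(self.class)
    if git_sha? || locked.git_sha?
      return false unless git_sha? && locked.git_sha? # mixed kinds: no answer
      raw.downcase != locked.raw.downcase
    else
      semver > locked.semver
    end
  end

  protected

  attr_reader :semver
end
```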

github-actions[bot] commented 1 week ago

👋 This issue has been marked as stale because it has been open for 2 years with no activity. You can comment on the issue to hold stalebot off for a while, or do nothing. If you do nothing, this issue will be closed eventually by the stalebot. Please see CONTRIBUTING.md for more policy details.